This is why QR codes can be dangerous

As well as all the benefits that QR code technology offers us, particularly since the pandemic, it can also become a harmful tool if not used with caution. Find out more.


Among the many changes brought about by the pandemic is the widespread use of QR codes: graphic representations of digital data that can be printed and then scanned with a smartphone or other device.

QR codes have a wide range of uses that help people avoid contact with objects and close interactions with others, including for sharing restaurant menus, email list subscriptions, sales information, and checking in and out of medical and professional appointments.

While barcodes store information along one axis, i.e. horizontally, QR codes store information on both the vertical and horizontal axes, allowing them to store much more data. And that additional amount of data is what makes QR codes so versatile.

QR code scanning is built into many camera apps for Android and iOS. QR codes are most often used to store web links; however, they can store arbitrary data, such as text or images.

When you scan a QR code, the QR reader in your phone's camera decodes the code and the resulting information triggers an action on your phone. If the QR code has a URL, your phone will display the URL. Touch it and your phone's default browser will open the web page.

Dangers of QR codes

QR codes are not inherently dangerous. They are simply a way of storing data. However, just as it can be dangerous to click on links in emails, visiting URLs stored in QR codes can also be dangerous in several ways.

The URL in the QR code may take you to a phishing website that attempts to trick you into entering your username or password for another website.

The URL could take you to a legitimate website and trick that website into doing something harmful, such as giving an attacker access to your account. While such an attack requires a flaw in the website you are visiting, such vulnerabilities are common on the Internet.

The URL can take you to a malicious website that tricks another website you are logged into on the same device into performing an unauthorized action.

A malicious URL could open an application on your device and cause you to perform some action. You may have seen this behavior when you clicked on a Zoom link and the Zoom app opened and automatically joined a meeting. While such behavior is usually benign, an attacker could use it to trick some apps into revealing their data.

It is critical that when you open a link in a QR code, you ensure that the URL is secure and from a trusted source. Just because the QR code has a logo you recognize doesn't mean you should click on the URL it contains.
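The checks described above can be automated before a decoded QR payload is opened. The following is an added example, not part of the original article: the function name `review_qr_payload`, the trusted host list and the sample payloads in the comments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts the reader or organisation already trusts (constructed values).
TRUSTED_HOSTS = {"example.com", "menu.example.org"}


def review_qr_payload(payload, trusted_hosts=TRUSTED_HOSTS):
    """Return the reasons a decoded QR payload should not be opened as-is.

    An empty list means the payload is an HTTPS link to a trusted host.
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        parts.port  # accessing .port raises ValueError for a malformed port
    except ValueError:
        return ["not a parseable URL"]

    scheme = parts.scheme.lower()
    if not scheme:
        return ["not a URL: plain text or other data"]
    if scheme not in ("http", "https"):
        # Non-web schemes (for example a constructed 'exampleapp://open')
        # are passed to an installed app instead of the browser.
        return [f"'{scheme}:' link is handed to an app, not the browser"]

    findings = []
    if scheme == "http":
        findings.append("unencrypted http link")
    if parts.username or parts.password:
        # In https://example.com@evil.test/ the real host is evil.test.
        findings.append("text before '@' is login data, not the site name")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host can imitate a known name")
    # Trust exact matches and true subdomains only, never a mere substring.
    trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    if not trusted:
        findings.append(f"host '{host}' is not on the trusted list")
    return findings
```

A recognizable logo around the code changes none of these results; only the decoded host and scheme are checked.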

There is also a small chance that the application used to scan the QR code contains a vulnerability that allows malicious QR codes to take over your device.

This attack would succeed simply by scanning the QR code, even if you do not click on the link stored in it. To avoid this threat, you should use trusted applications provided by the device manufacturer to scan QR codes and avoid downloading custom QR code applications.